Homework 2

CS155, Spring 2004

Due Thursday, June 3

Problem 1

Cygwin is a Linux-like environment for Windows, consisting of two parts: a
DLL (cygwin1.dll) that acts as a Linux emulation layer, and collection of tools
that provide Linux functions. Recall from Lecture 9 that under Windows, the
permissions on an object are given by a security descriptor (SD), which includes
the security identifier (SID) of the owner, the SID of the group, and an ACL of
SIDs and their permissions. An element of an ACL is called an access
control element (ACE) and contains three parts: the type of the ACE,
permissions, and the SID for which these permissions apply. The two important
types of ACEs are the access allowed ACEs and the access denied ACEs. The order
of ACEs is important. The system reads them in sequence until either any needed
right is denied or all needed rights are granted. Later ACEs are then not taken
into account.

(a) Explain how you would map the rwx user, group, and other
permissions of a UNIX file to a Windows SD for that file. Do you need access
allowed ACEs, access denied ACEs, or both?

(b) Windows uses access tokens to identify a user and it's permissions. To
switch the user context, an application has to request an access token. This is
typically done by calling the Windows API function LogonUser. The access
token is returned and either used in ImpersonateLoggedOnUser to change user
context of the current process or in CreateProcessAsUser to change user context
of a spawned child process.Explain briefly how you might use these Windows
features to provide Unix setuid features in Cygwin.

Problem 2

An unnamed Ivy League University suggests that computer science instructors
set up a setuid script to allow students to copy their assignments into the
protected course area of a file system. Here is part of the instructions for
instructors: "You can use a local submission script that copies the
student's submission to the local account. This involves using a setuid script
to have the student be able to run a script as if the class account invoked the
script."

(a) What are the likely permission bits for the submit
script?

(b) Under reasonable assumptions about how and where grades might be stored,
how might you use this script to change your course grade? Do not assume that
you will be able to modify the script.

Clarification: Your exploit in 2b) should work on this example of a submit script. We don't expect you to know Perl for this class, but the comments should give you a fair idea of what the code is doing. You can run this script on the elaines if you'd like, but you might want to change the value of the submitdir variable for testing.

Problem 3

One security problem with TCP based network services is that anyone can
remotely test whether the service is available. For example, by
attempting to connect to port 25 on a specific machine anyone
can test whether that machine is running an SMTP server. This makes
it easier to find machines that are vulnerable to sendmail bugs.

Can you suggest a method by which only authorized users
who posses a certain secret will get a response to a TCP SYN packet?
Hint: look for "port knocking".

Problem 4

In class we saw that Microsoft's NGSCB project requires a special
tamper resistant chip one every machine. The chip holds a secret
key used for signing the boot executable code. These signatures
are then used for attestation, i.e. for proving to a remote server
what code is running on the user's machine.

(a) Suppose user A is able to extract the secret signing key
from the tamper resistant chip in his machine. Explain the implications
of this for the validity of the attestation process. How could A
use this key to fool a remote server about the software running on A'a
machine?

(b) How would you defend against this problem?
You may assume that the private key extracted from the chip is
published on the web (anonymously) so that anyone can mount
the attack from part (a).

Problem 5

Slide 20 of Lecture 14 shows an IP spoofing attack that was devised in 1985
for 4.2 BSD Unix. One shortcoming of this and other early versions of Unix is
that sequence numbers for network packets are chosen very predictably. In
particular, 4.2 BSD maintains a global initial sequence number that is
incremented by 128 each second and by 64 after each connection is started.

For concreteness, let us assume that host A, the intended victim, listens on
port 514 for remote execution requests. When a request arrives on this port, A
checks the originator of the request against a list of trusted hosts in the .rhosts
file. This comparison uses the source IP address field in the arriving packet.
Assume that host B in slide 20 of Lecture 14 is in the .rhosts file of machine
A.

Since ports are managed by TCP, a TCP connection must be established before a
remote execution request can be issued and completed. As we saw in Lecture 14, a
TCP connection is established using a handshake of three messages: SYN, SYN-ACK,
and ACK. If a client C wants to connect to a server S, then the SYN message from
C to S contains a sequence number c chosen by C, the SYN-ACK message contains
sequence number c+1 and a sequence number s chosen by the server, and ACK
contains the sequence numbers c+1 and s+1. Another fact about TCP that is
useful in understanding the attack is that if a machine receives a message that
it is not expecting, the machine may send an RST message to "reset" the TCP connection. When a machine receives a RST message, it closes any open or
half-open port and returns to the LISTEN state, waiting for another connection.

(a) The first step of the attack is to flood some port on B, say port
21. Explain the purpose served by this step. (You may need to read the rest of
this problem to figure out the answer.)

(b) In the second step of the attack, evil E creates a real connection from
victim A. What is the purpose of this step? (Ideally, E would like to do steps
one and 2 at the same time.)

(c) The real action begins with the third step, where evil E sends a SYN
packet to A, with a forged return address. The return address on this packet is
port 21 on bystander B. How will E calculate or estimate the sequence number
that A uses? Keep in mind that since A sends a return SYN-ACK to B, evil E will
not see the sequence number in A's SYN-ACK message.

(e) In step five, E uses the now completed TCP connection on port 514 to
execute a command on A. To do this, A sends a null followed by a user name,
followed by a command. Explain some scenarios where a attacker with control of
machine E would have this kind of information. Assuming that E knows the IP
address of machine A that he or she wishes to attack, make a list of all the
other information that E must collect in order to mount this attack.

(f) This attack can be executed remotely. In other words, E does not have to
be on the same local area network as A or B. Assuming that A and B are on a
local area net behind a firewall, what kind of firewall policy would prevent
this attack without blocking any "reasonable" network traffic by
honest users.